firewalling...

Ian Molton <imolton at clara.net> wrote:
>> --->PRE------>[ROUTE]--->FWD---[ROUTE]----->POST------>
>> mangle | filter ^ nat
>> nat | |
>> | |
>> v |
>> IN filter OUT mangle
>> | ^ nat
>> | | filter
>> v |
>>>>
> how do packets enter the tables? When a packet comes in, is it
> presented to the mangle tables prerouting chain, and then,
> failing a match, to the nat tables prerouting chain?
Well a packet from the internet to the local host would travel
like this: come in on the NIC, then traverse PREROUTING in mangle
table, then traverse PREROUTING in nat table, then the kernel does
the routing decision, ie. decides where to send it, then it
traverses the INPUT chain of the filter table, and finally the
application listening there will receive it.
Note that only the first packet of each connection will traverse
the nat table.
> also, doesnt the nat table have a MASQUERADE chain? where does
> this figure in the above diagram?
There is no MASQUERADE -chain-. There is a MASQUERADE -target-,
which is something quite different. You can -j MASQUERADE, which
means you want to do a specialized form of source NAT on the
packet. But there is no chain called MASQUERADE. Masquerading is
done in the chains of the nat table.
Cheers,
Dan
--
Daniel Roethlisberger <daniel at roe.ch>
PGP Key ID 0x8DE543ED with fingerprint
6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED
--
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message